Skip to content

Tag signatures seem to be broken #1065

Closed
Closed
Tag signatures seem to be broken#1065
@tomaszzielinski

Description

@tomaszzielinski
tomaszzielinski
opened on Jul 24, 2019

It seems that something is wrong with signing base Node images' tags on Docker Hub:

$ DOCKER_CONTENT_TRUST=1 docker pull node
Using default tag: latest
Pull (1 of 1): node:latest@sha256:f0b151a0f4226e67e40afddbc9e0a37e697f8eb32d5cd8b1a55d5b238f04581b
sha256:f0b151a0f4226e67e40afddbc9e0a37e697f8eb32d5cd8b1a55d5b238f04581b: Pulling from library/node
Digest: sha256:f0b151a0f4226e67e40afddbc9e0a37e697f8eb32d5cd8b1a55d5b238f04581b
Status: Image is up to date for node@sha256:f0b151a0f4226e67e40afddbc9e0a37e697f8eb32d5cd8b1a55d5b238f04581b
Tagging node@sha256:f0b151a0f4226e67e40afddbc9e0a37e697f8eb32d5cd8b1a55d5b238f04581b as node:latest

$ docker images --digests node | grep latest
node                latest              sha256:f0b151a0f4226e67e40afddbc9e0a37e697f8eb32d5cd8b1a55d5b238f04581b   9ba05fbb174a        5 months ago        900MB

$ docker pull node
Using default tag: latest
latest: Pulling from library/node
Digest: sha256:cd932f9ff15650a908bf5982c7c0c5aa032d378edcc5cf179a3f7fc8bc8683ef
Status: Downloaded newer image for node:latest

$ docker images --digests node | grep latest
node                latest              sha256:6e64f63a663a368cc81b28ed3c3e29e6b3784c04f0128be5aaa659157ed4d231   7c412a558705        12 days ago         907MB
node                latest              sha256:cd932f9ff15650a908bf5982c7c0c5aa032d378edcc5cf179a3f7fc8bc8683ef   7c412a558705        12 days ago         907MB

As you can see the signed node:latest tag is outdated while the unsigned one is recent (and matches node:12.6.0).
(By the way, there seem to be two digests for the same image, hopefully that's fine?)

Also, it appears that the recent images have no signed counterparts:

$ DOCKER_CONTENT_TRUST=1 docker pull node:12.6.0
No valid trust data for 12.6.0

But images pushed roughly 5 months ago are still signed:

$ DOCKER_CONTENT_TRUST=1 docker pull node:10.15
Pull (1 of 1): node:10.15@sha256:7050e0dffc069c9f2e8dedcd255d7e57d87bebf33d6a5d97bd4905fb2333db8c
sha256:7050e0dffc069c9f2e8dedcd255d7e57d87bebf33d6a5d97bd4905fb2333db8c: Pulling from library/node
Digest: sha256:7050e0dffc069c9f2e8dedcd255d7e57d87bebf33d6a5d97bd4905fb2333db8c
Status: Image is up to date for node@sha256:7050e0dffc069c9f2e8dedcd255d7e57d87bebf33d6a5d97bd4905fb2333db8c
Tagging node@sha256:7050e0dffc069c9f2e8dedcd255d7e57d87bebf33d6a5d97bd4905fb2333db8c as node:10.15

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions